Review of FDA Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices*

The United States Food and Drug Administration (“FDA”) has recently released its January 2016 draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff.” [1] This draft guidance pertains to medical devices that are designed to be networked to facilitate patient care. “Medical device” here includes devices that contain software (including firmware) or programmable logic; alternatively, the software itself may be a medical device.

The purpose of this guidance is to clarify FDA’s postmarket recommendations associated with mitigating cybersecurity threats to device functionality and device users. Further, FDA encourages manufacturers to implement an effective cybersecurity risk management program for both premarket [2] and postmarket lifecycle phases and to address cybersecurity from conception through obsolescence of the medical device. As an aid for medical device manufacturers to manage their cybersecurity risk, FDA encourages the use and adoption of the voluntary NIST Cybersecurity Framework, entitled “Framework for Improving Critical Infrastructure Cybersecurity.” [3, 4]

This guidance acknowledges that cybersecurity risks to medical devices are continually evolving and that it is not possible to completely mitigate risks using solely premarket controls. [5] It is essential, then, for manufacturers to implement comprehensive cybersecurity risk management programs and documentation in accordance with Quality System Regulation practices as set forth in 21 C.F.R. Part 820.

The cybersecurity risk management programs implemented by manufacturers should focus on expeditiously addressing vulnerabilities, especially when patient safety is a concern. [6] According to FDA, critical components of cybersecurity risk management programs are as follows: (1) monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk, (2) understanding, assessing, and detecting the presence and impact of a vulnerability, (3) establishing and communicating processes for vulnerability intake and handling, (4) clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk, (5) adopting a coordinated vulnerability disclosure policy and practice, and (6) deploying mitigations that address cybersecurity risk early and prior to exploitation.

In terms of managing cybersecurity risk, consistent with 21 C.F.R. Part 820, the manufacturer should establish, document, and maintain, throughout the entire lifecycle of the medical device, an ongoing process for medical device cybersecurity risk management (i.e., identify, protect, detect, respond, and recover from cybersecurity incidents). The cybersecurity risk management process should focus on the risk to the medical device’s essential clinical performance (i.e., performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer). In terms of assessing the risk to the medical device’s essential clinical performance, two factors may be considered: (1) the exploitability of the cybersecurity vulnerability and (2) the severity of the health impact to patients, if the vulnerability were to be exploited.

With regard to the first factor (exploitability), estimating the probability of a cybersecurity exploit which affects the device’s essential clinical performance may not always be achievable. Accordingly, FDA suggests that manufacturers use a cybersecurity vulnerability assessment tool (e.g., the Common Vulnerability Scoring System, version 3.0) [7] or similar scoring system for rating vulnerabilities and gauging the need for and urgency of the response.

With regard to the second factor (severity of health impact), FDA gives one example of a methodology for conducting this type of analysis based on qualitative severity levels as set forth in ANSI/AAMI/ISO 14971:2007/(R)2010, Medical Devices - Application of Risk Management to Medical Devices. The qualitative severity levels range from negligible (e.g., inconvenience or temporary discomfort) to serious (e.g., results in injury or impairment requiring professional medical intervention), critical (e.g., results in permanent impairment or life-threatening injury), and catastrophic (e.g., results in patient death).

After the risk to the device’s essential clinical performance has been assessed, the risk then needs to be evaluated by the manufacturer to determine whether the risk is controlled (i.e., acceptable) [8] or uncontrolled (i.e., unacceptable). FDA states that the acceptability of the risk may be evaluated by using a matrix in which each cell is a combination of the exploitability of the vulnerability and the severity of the health impact to patients. If the risk is determined by the manufacturer to be an uncontrolled risk, [9] then risk mitigations, including changes or compensating controls, should be implemented when necessary to bring the risk to an acceptable level: ideally, remediation of the vulnerabilities or, at least in the interim, work-arounds and/or temporary fixes.

However, there may be an instance wherein there is no remediation for a device with uncontrolled risk and a reasonable probability that use of, or exposure to, the device will cause serious adverse health consequences or death to the patient. In such a case, the device may be deemed to be in violation of the Federal Food, Drug, and Cosmetic Act and subject to enforcement or other action by FDA.

In terms of reporting to FDA, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered cybersecurity routine updates or patches, for which advance notification to or reporting to FDA is not required under 21 C.F.R. Part 806. However, some cybersecurity vulnerabilities and exploits may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death. In this case, FDA would require manufacturers to notify FDA in accordance with 21 C.F.R. §806.10. Further, for premarket approval (PMA) devices with periodic reporting requirements under 21 C.F.R. §814.84, a periodic annual report must be submitted to FDA with information concerning cybersecurity vulnerabilities, device changes, and compensating controls.

In summary, FDA has made clear in its guidance that cybersecurity in medical devices is not optional and must be done, even for medical devices which do not require premarket approval. What is more, cybersecurity risk management must be done throughout the entire lifecycle of the device, beginning as early as the conception and design stage. While the guidance has not been finalized and, thus, is not for implementation at this stage, it clearly acknowledges that a cybersecurity vulnerability, if exploited, could potentially cause serious patient harm or even death. Moreover, the focus of this guidance is on the patient and, in particular, the safety of the patient. With all of this in mind, it seems that FDA is being proactive and current with the times.

* This article has been published in the February issue of the Journal of eHealth Law and Policy, a publication of Cecile Park Publishing, Ltd. It has been reprinted with permission from the publisher.

In its guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” FDA states that medical device manufacturers should establish design inputs for their device related to cybersecurity and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required in accordance with 21 C.F.R. §820.30(g). See http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf.

This draft guidance provides an appendix in Section IX entitled, “Elements of an Effective Postmarket Cybersecurity Program” which applies the NIST Cybersecurity Framework to a medical device manufacturer’s cybersecurity risk management program, in accordance with the recommendations as set forth in the guidance.

This draft guidance also notes on page 12 that “[d]esign, architecture, technology, and software development environment choices may result in the inadvertent incorporation [of] vulnerabilities.”

This draft guidance states on page 12 that “[t]he presence of a vulnerability does not necessarily trigger patient safety concerns. Rather it is the impact of the vulnerability on the essential clinical performance of the device which may trigger patient safety concerns.”

FDA states that even when risk is determined to be controlled, medical device manufacturers should still promote good cyber hygiene and reduce cybersecurity risks, such as through routine updates and patches for the device.

FDA states that manufacturers should report vulnerabilities associated with uncontrolled risk to FDA in accordance with 21 C.F.R. Part 806, unless already reported under 21 C.F.R. Parts 803 or 1004. But, the FDA also notes that it does not intend to enforce reporting requirements under 21 C.F.R. Part 806, provided that all of the following requirements are met: (1) there are no known serious adverse events or deaths associated with the vulnerability, (2) within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the risk to an acceptable level and notifies users, and (3) the manufacturer is a participating member of an ISAO (Information Sharing and Analysis Organization), such as the National Health Information Sharing and Analysis Center (NH-ISAC). Moreover, FDA also states that the manufacturer should evaluate the device changes to assess the need to submit a premarket submission to the FDA.